Min Luo,Lina Wang,Huanguo Zhang,Jin Chen

DOI: https://doi.org/10.1007/bf02900819

2003-01-01

Abstract:An unsupervised clustering-based intrusion detection algorithm is discussed in this paper. The basic idea of the algorithm is to produce the cluster by comparing the distances of unlabeled training data sets. With the classified data instances, anomaly data clusters can be easily identified by normal cluster ratio and the identified cluster can be used in real data detection. The benefit of the algorithm is that it doesn’t need labeled training data sets. The experiment concludes that this approach can detect unknown intrusions efficiently in the real network connections via using the data sets of KDD99.

叶芳,吴中福,刘勇国

DOI: https://doi.org/10.3969/j.issn.1000-582x.2004.03.011

2004-01-01

Abstract:Traditional abnormal detection methods need a reference model with a profile of normal action, but building the character profile and specifying threshold of abnormal alarm are difficult. So this paper puts forward intrusion detection in combination with clustering and data processing . This algorithm comes true dynamicly updating the center of cluster and the biggest distance within cluster with fast convergence. The effect is better with the help of pre-processing the data. By means of simulated experiments, this algorithm is proved feasible and efficient for unknown intrusion detection.

Y Feng,ZF Wu,KG Wu,ZY Xiong,Y Zhou

DOI: https://doi.org/10.1109/icmlc.2005.1527630

2005-01-01

Abstract:An approach to network intrusion detection is investigated, based on swarm intelligence. The basic idea of the method is to produce the cluster by swarm intelligence-based clustering. With the classified data instances, anomaly data clusters can be easily identified by normal cluster ratio. And then the identified cluster can be used in real data detection. In the traditional clustering-based intrusion detection algorithms, clustering using a simple distance-based metric and detection based on the centers of clusters, which generally degrade detection accuracy and efficiency. Our approach based on swarm intelligence can settle these problems effectively. The experiment result shows that our approach can detect unknown intrusions efficiently in the real network connections.

LI Na,ZHONG Cheng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.02.040

2008-01-01

Abstract:Information entropy theory is applied to the clustering problem for intrusion detection,and the distances for mixed attributes between two data items,data and clusters,and two clusters are defined. By applying overall similarity to evaluate the cluster quality for merging clusters,an unsupervised anomaly detection algorithm based on partition and agglomerative hierarchical clustering,is presented. The algorithm analysis and experimental results show that this algorithm obtains good detection performance and can detect efficiently the new unknown intrusions.

Xinyu Li

2011-01-01

Abstract:A distance measurement method based on weighted features of heterogeneous data which is designed to response for network intrusion detection traffic data samples heterogeneity of Characteristics properties and differences of contribution rates between properties has been put forward in this paper.For the Fuzzy C-means clustering algorithm for network intrusion detection problem is difficult to determine the number of clustering,this paper proposes the unsupervised fuzzy clustering algorithm for intrusion detection that automatically determine the optimal clustering number.These results of simulations run on the KDDcup1999 data sets show that the algorithm has efficient performance in clustering number optimization and effectively increases the detection degree of clustering intrusion detection.

WEI Xiang-he,LI Qian-mu,ZHANG Hong

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.07.049

2007-01-01

Abstract:A new detection method based on unsupervised learning was designed and implemented,which had the ability of discovering unknown kinds of attacks.It could be used not only as an independent analysis method,but also as an IDE(Intrusion Detection Engine) in intrusion detection based on data fusion.In method,max-min distance algorithm was employed as the core clustering algorithm,and some other techniques were also involved,such as nonlinear normalization pretreatment,efficiency coding of non-numerical feature etc.Its detection rate is distinctively higher than that of similar methods under the same experimental conditions,at the same false positive rate,especially for attacks from DoS and Probing.

ZHONG Jiang,WU Kai-Gui,WU Zhong-Fu,LI Ji,OU Ling

2005-01-01

Computer Science

Abstract:Traditional intrusion detection methods lack extensibility in face of changing network configurations as well as adaptability in face of unknown attack types. Meanwhile, current machine-learning algorithms need labeled data for training first, so they are computational expensive and somethaes misled by artificial data. In this paper, a new detection algorithm, the Intrusion Detection Based on Immune Clustering algorithm, is proposed. It can automatically establish clusters and detect intruders by compute the outlier factor of each data item. Computer simulations show that this algorithm is effective for intrusion detection.

Y Feng,KG Wu,ZF Wu,J Zhong,H Li

DOI: https://doi.org/10.1142/9789812701534_0110

2005-01-01

Abstract:A clustering algorithm based on swarm intelligence is systematically proposed for anomaly intrusion detection. The basic idea of our approach is to produce the cluster by swarm intelligence-based clustering. Instead of using the linear segmentation function of the CSI model, here we propose to use a nonlinear probability conversion function and can help to solve linearly inseparable problems. With the classified data instances, anomaly data clusters can be easily identified by normal cluster ratio. And then the identified cluster can be used in real data detection. In the traditional clustering-based intrusion detection algorithms, clustering using a simple distance-based metric and detection based on the centers of clusters, which generally degrade detection accuracy and efficiency. Our approach can settle these problems effectively. The experiment result shows that out approach can detect unknown intrusions efficiently in the real network connections.

Yonghong Yu,Hao Huang

2006-01-01

Abstract:An anomaly intrusion detection algorithm based on semi-supervised clustering along with k-nearest neighbor was presented.It could solve the problem of the insufficiency of training samples that the intrusion detection algorithms based on supervised learning face.The algorithm exploited minimal labeled data to improve its learning capability,and novelty detection could also be carried out.The experiment results manifest that the detection results of the algorithm precedes the one based on unsupervised learning remarkably,and approaches the one based on supervised learning while the labeled data are few.

Yongguo Liu,Xiaofeng Liao,Xueming Li,Zhongfu Wu

DOI: https://doi.org/10.3233/ida-2004-8402

IF: 1.7

2004-01-01

Intelligent Data Analysis

Abstract:Traditional methods of intrusion detection lack the extensibility in face of changing network configurations and the adaptability in face of unknown intrusion types. Meanwhile, current machine-learning algorithms for intrusion detection need labeled data to be trained, so they are expensive in computation and sometimes misled by artificial data. In order to solve these problems, a new detection algorithm is proposed in this paper, the Intrusion Detection Based on Tabu Clustering (IDBTC) algorithm. It can automatically set up clusters and detect intrusions by labeling normal and abnormal groups. Computer simulations show that this algorithm is effective for intrusion detection.

SHI ZHONG,TAGHI M. KHOSHGOFTAAR,NAEEM SELIYA

DOI: https://doi.org/10.1142/s0218539307002568

2007-04-01

International Journal of Reliability, Quality and Safety Engineering

Abstract:Recently data mining methods have gained importance in addressing network security issues, including network intrusion detection — a challenging task in network security. Intrusion detection systems aim to identify attacks with a high detection rate and a low false alarm rate. Classification-based data mining models for intrusion detection are often ineffective in dealing with dynamic changes in intrusion patterns and characteristics. Consequently, unsupervised learning methods have been given a closer look for network intrusion detection. We investigate multiple centroid-based unsupervised clustering algorithms for intrusion detection, and propose a simple yet effective self-labeling heuristic for detecting attack and normal clusters of network traffic audit data. The clustering algorithms investigated include, k-means, Mixture-Of-Spherical Gaussians, Self-Organizing Map, and Neural-Gas. The network traffic datasets provided by the DARPA 1998 offline intrusion detection project are used in our empirical investigation, which demonstrates the feasibility and promise of unsupervised learning methods for network intrusion detection. In addition, a comparative analysis shows the advantage of clustering-based methods over supervised classification techniques in identifying new or unseen attack types.

CHENG Meng-ju,ZHAO Long,TAO Hong-bo,ZHAO Cheng-lin

DOI: https://doi.org/10.3969/j.issn.1003-3106.2013.11.002

2013-01-01

Radio Engineering

Abstract:In order to address the issue in intrusion detection approaches based on unsupervised clustering that clustering centers and number have to be pre-defined,this paper proposes an intrusion detection approach based on affinity propagation clustering. This approach regards each data point as potential clustering center to equally and automatically determine final clustering centers and number by updating messages exchanged between data points,and can obtain accurate clustering result. The proposed approach is proved to be feasible by the experiment implemented on KDD CUP99 dataset,and the result of experiment shows that this approach can effectively improve detection rate comparing to traditional clustering approaches.

Caihong Wang,Run Huang,Weihang Zhang,Jian Sun

DOI: https://doi.org/10.1109/iccwamtip47768.2019.9067642

2019-01-01

Abstract:The main purpose of the intrusion detection system (IDS) is to detect a network attack and respond to the network intrusion. Existing supervised IDSs require a large amount of tag data as the training data, and there is almost no effect on the unknown attacks. Traditional unsupervised intrusion systems have problems including low accuracy and the inability to provide specific information regarding the detected attacks. To solve the above problems, we propose a multilayer IDS based on semi-supervised clustering. This system solves the problem of insufficient training data by using tag extension technology and genetic algorithm, and solves the problem of unsupervised clustering unable to provide specific information of attack by using the idea of semi-supervised clustering. We use the NSL-KDD dataset to conduct the experiments. The simulation results show that the proposed IDS only needs a small amount of training data to obtain better performance, especially for lower frequency attacks.

Liang Hu, Nurbol,Xiaobo Liu,Kuo Zhao

2010-01-01

Journal of Information and Computational Science

Abstract:This paper proposed a new algorithm based on time stamped hierarchical clustering for intrusion detection. It incrementally clusters incoming data objects of normal behavior, and produces a precise model. Using each clusters time stamp, the algorithm can dynamically remove some expired clusters from the model, and also can produces some new cluster, that makes our clustering method more suitable for real network environment. Experiments with KDDCUP 1999 data set show our algorithm is less sensitive to noise data objects than ADWICE, and has low computer resource consumptions. Copyright © 2010 Binary Information Press.

YG Liu,KF Chen,XF Liao,W Zhang

DOI: https://doi.org/10.1016/j.patcog.2003.09.011

IF: 8

2004-01-01

Pattern Recognition

Abstract:Traditional intrusion detection methods lack extensibility in face of changing network configurations as well as adaptability in face of unknown attack types. Meanwhile, current machine-learning algorithms need labeled data for training first, so they are computational expensive and sometimes misled by artificial data. In this paper, a new detection algorithm, the Intrusion Detection Based on Genetic Clustering (IDBGC) algorithm, is proposed. It can automatically establish clusters and detect intruders by labeling normal and abnormal groups. Computer simulations show that this algorithm is effective for intrusion detection.

Wang Lifang

DOI: https://doi.org/10.4304/jnw.8.6.1278-1284

2009-01-01

Abstract:Intrusion detection system is automatic system which recognize intrusions to computers or computer network systems. Existing security detection system has many problems such as wrong detection of intrusions, missed intrusions, poor real-time performance. An intrusion detection algorithm is developed by combining a rough set algorithm with intrusion detection technology for security detection, attribute reduction, production of detection rules, and finally analysis of intrusion data with these rules. Based on it, a new rough set attribute-weighted clustering algorithm is used in network intrusion detection. Test rules show that the intrusion detection algorithm is more efficient than algorithm based on BP (back propagation) neural networks and vector machines, thereby, improving the detection ratio and reduces the wrong detection ratio. The system provides detection service effective for information system.

Guo Pu,Lijuan Wang,Jun Shen,Fang Dong

DOI: https://doi.org/10.26599/tst.2019.9010051

2021-04-01

Abstract:In recent years, machine learning-based cyber intrusion detection methods have gained increasing popularity. The number and complexity of new attacks continue to rise; therefore, effective and intelligent solutions are necessary. Unsupervised machine learning techniques are particularly appealing to intrusion detection systems since they can detect known and unknown types of attacks as well as zero-day attacks. In the current paper, we present an unsupervised anomaly detection method, which combines Sub-Space Clustering (SSC) and One Class Support Vector Machine (OCSVM) to detect attacks without any prior knowledge. The proposed approach is evaluated using the well-known NSL-KDD dataset. The experimental results demonstrate that our method performs better than some of the existing techniques.

computer science, information systems,engineering, electrical & electronic, software engineering

Hongying Zheng,Xiaofeng Liao,Lin Ni

IF: 1.019

2006-01-01

Chinese Journal of Electronics

Abstract:In this paper, a new detection method, Intrusion detection based on unsupervised clustering and simulated annealing algorithm (IDCSA), is proposed, it can automatically establish clusters and detect intruders by labeling normal and abnormal groups, IDCSA combines partitional clustering with simulated annealing. Firstly, clustering is described as assignment problem and clusters are established using partitional clustering. Secondly, simulated annealing algorithm is used to optimize the clustering results and find a near-optimal partitioning instead of local optimizing results. The experiments with KDD cup 1999 show that IDCSA is effective for intrusion detection.

Ma Li,Bai Lin,Jiao Li-cheng,Chen Chang-guo

DOI: https://doi.org/10.1109/iccias.2006.294205

2006-01-01

Abstract:Adaptive polyclonal algorithm is the improved one of clonal selection algorithm, and its convergence speed is much faster. This paper intends to direct a novel clustering analysis by means of the affinity function that the adaptive polyclonal clustering strategy affects. The clustering algorithm has the advantage that it does not depend on priori knowledge and has nothing to do data distribution, effectively overcoming the disadvantage that some existing algorithms are sensitive to initialization and easy to be trapped into the local optima. This algorithm clusters large data sets with mixed numeric and categorical values effectively. The intrusion detection system based on this algorithm can deal with massive unlabeled data to distinguish between normal and anomaly and even can detect unknown attacks. The computer comparison-contrast simulations through the KDD CUP 99 datasets show that the algorithm discussed in this paper has much superior detection rate and less false positive rate when compared with AiNet algorithm, the algorithm of L. Portnoy (2000) and the algorithm of L. Jing and L. Fang (2004)

ZHENG Miao-miao,JI Gen-lin

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.06.024

2007-01-01

Abstract:In this paper,an effective and anomaly distributed detection algorithm ID-DC based on clustering is proposed to realize the DIDS.Algorithm ID-DC,which first get cluster models by using the distributed clustering algorithm on unlabeled training data and then labels these models through algorithm Double-Reference,overcomes the drawbacks of relying on labeled training data which most current anomaly-based intrusion detection depend on and expects to automatically partition the data set into a reasonable number of clusters.At last,the experiments on the KDD-CUP-99 data records of network connections show that our distributed clustering algorithm can efficiently detect intrusions while maintaining a low false positive rate.